Exploit-Me Firefox XSS and SQL scanning addon


One of the best tools we saw at LayerOne was the Exploit-Me series presented by Dan Sinclair. Security Compass created these tools to help developers easily identify cross site scripting (XSS) and SQL injection vulnerabilities.

XSS-Me is a Firefox add-on that loads in the sidebar. It identifies all the input fields on a page and iterates through a user-provided list of XSS strings, submitting each one in a new tab and checking the result. When this process completes you get a report of which attack strings got through, which didn’t, and which might have. The upcoming 0.3 version will use heuristics to determine which characters survive the application’s filtering and automatically skip attack strings that won’t get through.
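The three-way verdict described above (got through / didn’t / might have) is the heart of how such a scanner reports on a form. The snippet below is an added illustration, not the XSS-Me add-on’s own code: it assumes a harmless probe tag wrapping a unique marker, a hypothetical `submit(fieldName, value)` callback that returns the response body, and constructed server responses standing in for three differently coded fields.

```javascript
// Added example: reflected-input verdicts in the spirit of XSS-Me's report.
// Assumption: the probe is a harmless <b> tag around a unique marker, so the
// verdict depends only on whether the tag survives the app's output encoding.
const MARKER = "xssme7f3a";              // constructed marker, easy to grep for
const PROBE = `<b>${MARKER}</b>`;       // harmless probe tag, not an attack string

// Render the probe the way a correctly encoding template would emit it.
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Classify one response body the way the report labels each attack string:
//   "failed"  - probe reflected verbatim: the tag would be parsed as markup
//   "passed"  - probe fully encoded, or not reflected at all
//   "warning" - marker reflected but transformed (stripped tags, partial
//               encoding): a human needs to look at this one
function classify(body) {
  if (body.includes(PROBE)) return "failed";
  if (!body.includes(MARKER)) return "passed";
  if (body.includes(htmlEscape(PROBE))) return "passed";
  return "warning";
}

// Submit the probe through every field and bucket the verdicts.
// `submit(fieldName, value)` is a hypothetical callback returning the response body.
function scanForm(fieldNames, submit) {
  const report = { passed: [], failed: [], warning: [] };
  for (const name of fieldNames) {
    report[classify(submit(name, PROBE))].push(name);
  }
  return report;
}

// Constructed responses standing in for three differently coded fields.
const fakeServer = {
  comment: `<p>Thanks! You wrote: ${PROBE}</p>`,            // echoed raw
  email:   `<p>Invalid address: ${htmlEscape(PROBE)}</p>`, // properly escaped
  name:    `<p>Hello ${MARKER}</p>`,                        // tags stripped
};
function demoSubmit(name) { return fakeServer[name]; }

const demoReport = scanForm(Object.keys(fakeServer), demoSubmit);
```

Running `scanForm` against the constructed responses yields `comment` as failed, `email` as passed and `name` as a warning, the same buckets the sidebar report shows.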

SQL Inject-Me works almost exactly the same way. It does require a little planning though: you need to tell it what you expect the results page to look like when an attack gets through.

The newest tool, Access-Me, surfs along with you while you’re authenticated to a website and checks whether you can see the same page unauthenticated.

Comments

  1. ~SB says:

    Are these safe?
    I mean no malicious activity in the background…

  2. Nick Fury says:

    I saw Dan present this at CarolinaCon this past year along with a friend of his named Sahba (I hope I spelled that right). It was a really interesting concept and led to some great questions from the audience.

  3. John Berube says:

    @SB: Well you can download the source

  4. Hali says:

    Beware, when I clicked the link to download this firefox plug-in, it dumped a file called “xm86zte5.exe” on my desktop. I purged the file immediately. Not sure what it does but that was unexpected behaviour. This may be a malicious site.

  5. dan sinclair says:

    @sb: All of the tools are open sourced so if you’re concerned with malicious activity you’re free to audit the tools as you want. We’ve been careful to remove anything that might be thought to track people. That’s why we don’t have any of the XSS attacks that reference external .js files included by default.

    @hali: Out of curiosity, where did you download the .xpi file from? Are you trying to say that running the xpi added a file to your desktop or it somehow downloaded a secondary file?

    The Exploit-Me files are .xpi files. They aren’t exe’s. They only run within Firefox.

  6. doudou says:

    Very nice tool, no malicious activity, keep it up.
